Pass netrc to external configuration service

[pinpox]

The external configuration API currently does not get passed any credentials for repositories.

This makes it impossible to use external configuration services with private repositories when the service needs access to the repository's contents.

As an example: I have a multi-user instance running, on which some users have private repositories. The instance uses my configuration service for nix flakes, which needs to read a file contained in the repos itself. This is currently not possible for private repositories as neither the credentials nor the repo's contents itself are POST'ed to the external configuration service.

My proposal: Extend the schema of the JSON that gets POST'ed to the configuration service with the contents of the netrc/credentials that are used to clone the repositories on the runners.

With this, the external configuration service migth also be a viable workaround for the proposed pipeline compile step

[anbraten]

I like the idea. From a security perspective it should also be fine as the instance admin sets the url of the config service and needs to make sure he trusts the config service

[anbraten]

The forge has a function func (c *config) Netrc(u *model.User, _ *model.Repo) (*model.Netrc, error) { which you can use if you can provide a repo and user.

[pinpox]

But we have no forge in that function, should I just pass it in as additional argument? Or pass in the netrc directly?

[anbraten]

I would use sth like:

netrc, err := cf.forge.Netrc(cf.user, cf.repo)
			if err != nil {
				return nil, fmt.Errorf("could not get Netrc data from forge: %w", err)
			}
			newConfigs, useOld, err := cf.configExtension.FetchConfig(fetchCtx, cf.repo, cf.pipeline, files, netrc)
			if err != nil {
				log.Error().Err(err).Msg("could not fetch config via http")
				return nil, fmt.Errorf("could not fetch config via http: %w", err)
			}

in server/forge/configFetcher.go and pass the netrc data from there.

[pinpox]

I opened a PR adding it #2310
Not sure if the error handling is optimal, let me know what needs to change.
I'm also in the matrix channel for faster communication if you prefer

[anbraten]

Thanks for the PR looks pretty simple and clean to me.